AWS authentication, permissions, and supported regions 🔗
To connect your AWS services to Splunk Observability Cloud you need:
Administrator privileges in your Splunk Observability Cloud and your AWS accounts.
AWS authentication rights. You can authenticate either with an External ID (recommended) or using a security token.
Authenticate in AWS using an External ID (recommended) 🔗
In AWS you manage access by creating policies and attaching them to IAM identities or AWS resources. A policy is a JSON object that associates an identity or resource with access permissions. When a user (in this case, your account in Splunk Observability Cloud) makes a request, AWS evaluates the associated policy and determines whether the request is allowed or denied.
For most AWS regions, use External ID to authenticate. Follow these steps:
An External ID for Splunk Observability Cloud. An external ID is a random string used to establish a trust relationship between Splunk Observability Cloud and your AWS account. It’s automatically generated for you when you create a new AWS integration in Splunk Observability Cloud.
To learn how to create an External ID, see How to use an external ID when granting access to your AWS resources to a third party in AWS documentation.
You can also create an External ID using the API. See Create an external AWS ID.
An AWS IAM role.
Create an AWS IAM policy 🔗
Splunk Observability Cloud refers to an IAM policy to collect data from every supported AWS service.
To create a new AWS IAM policy, follow these steps:
Log into your Amazon Web Services account and look for the Identity and Access Management (IAM) service.
Create a new policy. In the JSON tab, replace the placeholder JSON with the pertinent AWS IAM policy JSON. Guided setup provides this policy in the Prepare AWS Account step. See also some policy examples.
Follow the instructions to complete the process and create the policy.
If you have any doubts, check AWS documentation.
Create an AWS IAM role 🔗
After creating an AWS IAM policy, you need to assign that policy to a particular role by performing the following steps in the Amazon Web Services console:
Go to Roles, then Create Role, and select Another AWS account as the type of trusted entity.
Copy and paste the Account ID displayed in either guided setup or the numeric value within
sfxAwsAccountArnfrom API call’s response into the Account ID field.Select Require external ID. Copy and paste the External ID displayed in the guided setup or
externalIdfrom API call’s response into the External ID field.Continue with Next: Permissions. Under Policy name, select the policy you made in the previous step.
Follow the instructions, and name and create your new AWS IAM role.
Creating the AWS IAM role generates the Role ARN used to establish connection with AWS. Copy the created ARN role, and paste it into the Role ARN field in the guided setup.
If you have any doubts, check AWS documentation.
Authenticate in AWS using a security token 🔗
For the GovCloud or China regions, select the option to authenticate using a secure token, which combines an Access key ID and Secret access key you’ll create in your AWS Console.
When you’re creating the new permission for your user and are prompted for an access key practice, select Third-party service.
Required permissions 🔗
These are the required permissions to collect AWS data:
Required permissions in Splunk Observability Cloud 🔗
Regardless of the services you want to use, you need the following permissions:
organizations:DescribeOrganization. Only needed when Amazon cost and usage metrics are activated.ec2:DescribeRegionstag:GetResources
Permissions for the CloudWatch API 🔗
Besides the required permissions, include these permissions to allow Splunk Observability Cloud to collect AWS metrics using the CloudWatch API:
cloudwatch:GetMetricDatacloudwatch:ListMetrics
For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricData",
"cloudwatch:ListMetrics",
"ec2:DescribeRegions",
"organizations:DescribeOrganization",
"tag:GetResources"
],
"Resource": "*"
}
]
}
Permissions for Metric Streams 🔗
Besides the required permissions, include these permissions to allow Splunk Observability Cloud to collect AWS metrics using CloudWatch Metric Streams:
"cloudwatch:DeleteMetricStream""cloudwatch:GetMetricStream""cloudwatch:ListMetricStreams""cloudwatch:ListMetrics""cloudwatch:PutMetricStream""cloudwatch:StartMetricStreams""cloudwatch:StopMetricStreams""iam:PassRole"
These permissions include the MetricStream phrase and the iam:PassRole permissions. Note the iam:PassRole permission is restricted to resources matching the arn:aws:iam::*:role/splunk-metric-streams* pattern.
For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStream"
"cloudwatch:ListMetricStreams",
"cloudwatch:PutMetricStream",
"cloudwatch:DeleteMetricStream",
"cloudwatch:StartMetricStreams",
"cloudwatch:StopMetricStreams",
"ec2:DescribeRegions",
"organizations:DescribeOrganization",
"tag:GetResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/splunk-metric-streams*"
}
]
}
Permissions for tag and properties collection 🔗
On top of the required permissions, you also need to include the specific permissions for the services you use in your AWS IAM policy to allow Splunk Observability Cloud to collect specific AWS tags and properties. You’ll be able to use Infrastructure Monitoring to filter metrics based on those tags and properties.
These are these permissions to allow Splunk Observability Cloud to collect AWS tags and properties:
"apigateway:GET""autoscaling:DescribeAutoScalingGroups""cloudformation:ListResources""cloudformation:GetResource""cloudfront:GetDistributionConfig""cloudfront:ListDistributions""cloudfront:ListTagsForResource""directconnect:DescribeConnections""dynamodb:DescribeTable""dynamodb:ListTables""dynamodb:ListTagsOfResource""ec2:DescribeInstances""ec2:DescribeInstanceStatus""ec2:DescribeNatGateways""ec2:DescribeRegions""ec2:DescribeReservedInstances""ec2:DescribeReservedInstancesModifications""ec2:DescribeTags""ec2:DescribeVolumes""ecS:DescribeClusters""ecs:DescribeServices""ecs:DescribeTasks""ecs:ListClusters""ecs:ListServices""ecs:ListTagsForResource""ecs:ListTaskDefinitions""ecs:ListTasks""elasticache:DescribeCacheClusters""elasticloadbalancing:DescribeLoadBalancerAttributes""elasticloadbalancing:DescribeLoadBalancers""elasticloadbalancing:DescribeTags""elasticloadbalancing:DescribeTargetGroups""elasticmapreduce:DescribeCluster""elasticmapreduce:ListClusters""es:DescribeElasticsearchDomain""es:ListDomainNames""kinesis:DescribeStream""kinesis:ListShards""kinesis:ListStreams""kinesis:ListTagsForStream"“kinesisanalytics:DescribeApplication”“kinesisanalytics:ListApplications”"kinesisanalytics:ListTagsForResource""lambda:GetAlias""lambda:ListFunctions""lambda:ListTags""rds:DescribeDBInstances""rds:ListTagsForResource""redshift:DescribeClusters""redshift:DescribeLoggingStatus""s3:GetBucketLocation""s3:GetBucketTagging""s3:ListAllMyBuckets""s3:ListBucket""states:ListActivities""states:ListStateMachines""sqs:GetQueueAttributes""sqs:ListQueues""sqs:ListQueueTags""tag:GetResources""workspaces:DescribeWorkspaces"
Note
Cassandra permissions are declared as a separate object. See the example below.
Add the "<service>:<permission>" pair relevant to each service in the Action array of the AWS IAM policy JSON. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"autoscaling:DescribeAutoScalingGroups",
"cloudformation:ListResources",
"cloudformation:GetResource",
"cloudfront:GetDistributionConfig",
"cloudfront:ListDistributions",
"cloudfront:ListTagsForResource",
"cloudwatch:GetMetricData",
"cloudwatch:ListMetrics",
"directconnect:DescribeConnections",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNatGateways",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListServices",
"ecs:ListTagsForResource",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticache:DescribeCacheClusters",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListClusters",
"es:DescribeElasticsearchDomain",
"es:ListDomainNames",
"kinesis:DescribeStream",
"kinesis:ListShards",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesisanalytics:DescribeApplication",
"kinesisanalytics:ListApplications",
"kinesisanalytics:ListTagsForResource",
"lambda:GetAlias",
"lambda:ListFunctions",
"lambda:ListTags",
"logs:DeleteSubscriptionFilter",
"logs:DescribeLogGroups",
"logs:DescribeSubscriptionFilters",
"logs:PutSubscriptionFilter",
"organizations:DescribeOrganization",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:ListTagsForResource",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketTagging",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketNotification",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ListQueueTags",
"states:ListActivities",
"states:ListStateMachines",
"tag:GetResources",
"workspaces:DescribeWorkspaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cassandra:Select"
],
"Resource": [
"arn:aws:cassandra:*:*:/keyspace/system/table/local",
"arn:aws:cassandra:*:*:/keyspace/system/table/peers",
"arn:aws:cassandra:*:*:/keyspace/system_schema/*",
"arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/tags",
"arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/tables",
"arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/columns"
]
}
]
}
Permissions for log collection 🔗
These are the permissions to allow Splunk Observability Cloud to collect AWS logs. Include those related to your service in your IAM policy.
"cloudfront:GetDistributionConfig""cloudfront:ListDistributions""cloudfront:ListTagsForResource""ec2:DescribeRegions""elasticloadbalancing:DescribeLoadBalancerAttributes""elasticloadbalancing:DescribeLoadBalancers""elasticloadbalancing:DescribeTags""elasticloadbalancing:DescribeTargetGroups""logs:DeleteSubscriptionFilter""logs:DescribeLogGroups""logs:DescribeSubscriptionFilters""redshift:DescribeClusters""redshift:DescribeLoggingStatus""s3:GetBucketLogging""s3:GetBucketNotification""s3:ListAllMyBuckets""s3:ListBucket""s3:PutBucketNotification""tag:GetResources"
Permissions for usage collection and reports 🔗
Include these permissions to allow Splunk Observability Cloud to collect AWS usage data and reports:
"ec2:DescribeRegions""organizations:DescribeOrganization"
Supported AWS regions 🔗
If you want to activate a specific optional region, you need to do it before adding it to the integration. Make sure you’ve activated the optional regions you’ll need in your AWS console first. Regular regions are activated in AWS by default.
If you’re using the UI guided setup to create the integration, you’ll be prompted to select which AWS regions you work with.
If you’re using the API and supply an empty list in an API call, Splunk Observability Cloud activates all regular regions. If you add the
ec2:DescribeRegionspermission to your AWS policy, optional regions you’ve activated on your AWS account are activated in Splunk Observability Cloud as well. Although empty regions list configuration is possible via the API, it is highly discouraged since it can lead to an unexpected cost increase whenever a new region is enabled on the AWS account.
Note
When you edit an existing integration that was configured with an empty list of regions, the UI guided setup will automatically populate the regions list to include regions enabled on your AWS account if your policy contains ec2:DescribeRegions permission. Otherwise, it will populate the list with all regular AWS regions. If you previously created an integration using the UI guided setup and used the default all regions configuration, it also will get migrated accordingly. This migration will not impact what data we currently collect for any edited integrations.
Splunk Observability Cloud supports the following AWS regions:
Regular 🔗
ap-northeast-1: Asia Pacific (Tokyo)ap-northeast-2: Asia Pacific (Seoul)ap-northeast-3: Asia Pacific (Osaka)ap-south-1: Asia Pacific (Mumbai)ap-southeast-1: Asia Pacific (Singapore)ap-southeast-2: Asia Pacific (Sydney)ca-central-1: Canada (Central)eu-central-1: Europe (Frankfurt)eu-north-1: Europe (Stockholm)eu-west-1: Europe (Ireland)eu-west-2: Europe (London)eu-west-3: Europe (Paris)sa-east-1: South America (Sao Paulo)us-east-1: US East (N. Virginia)us-east-2: US East (Ohio)us-west-1: US West (N. California)us-west-2: US West (Oregon)
Optional 🔗
af-south-1: Africa (Cape Town)ap-east-1: Asia Pacific (Hong Kong)ap-south-2: Asia Pacific (Hyderabad)ap-southeast-3: Asia Pacific (Jakarta)ap-southeast-4: Asia Pacific (Melbourne)eu-central-2: Europe (Zurich)eu-south-1: Europe (Milan)eu-south-2: Europe (Spain)me-central-1: Middle East (UAE)me-south-1: Middle East (Bahrain)
GovCloud 🔗
us-gov-east-1: AWS GovCloud (US-East)us-gov-west-1: AWS GovCloud (US-West)
China 🔗
cn-north-1: China (Beijing)cn-northwest-1: China (Ningxia)